Checking Windows 7 for Infections
The easiest way to check if your system is violated with DNS Changer malware is to go to one of the “are you infected sites” (see below). These sites only require someone to visit. The “are you infected site” will inform you if you are infected.
Note: These sites only detect for DNS Changer. You might be infected with other malware. Please take appropriate precautions to protect your computer.
|www.dns-ok.us||English||DNS Changer Working Group (DCWG)|
|www.dns-ok.de||German||Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)|
|www.dns-ok.fi||Finnish, Swedish, English||CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.|
|www.dns-ok.ax||Swedish, Finnish, English||CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.|
|www.dns-ok.be||Dutch/French||CERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests.|
|www.dns-ok.fr||French||Le CERT-LEXSI est la division de veille et d'enquête sur Internet, dédiée à la protection du patrimoine en ligne des organisations.|
|www.dns-ok.ca||English/French||Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)|
|www.dns-ok.lu||English||CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT - CERT) coordination center for the Grand-Duchy of Luxembourg|
|www.dns-ok.nl||Dutch||SIDN (the Foundation for Internet Domain Registration in the Netherlands)|
|dns-ok.gov.au||English||CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information|
|dns-changer.eu||German, Spanish, English||ECO (Association of the German Internet Industry)|
|dnschanger.detect.my||Malaysian, English||Hosted by CyberSecurity Malaysia and MYCERT|
|dns-ok.jpcert.or.jp||Japanese||JPCERT/CC - Japan Computer Emergency Response Team Coordination Center|
|www.dns-ok.it||Italiano||Telecom Italia Security Operation Center - IT.TS.SOC|
Manually Checking for DNS Changer Infections
The following are the original manual checks to see if you computer is infected with any of the DNS Changer malware.
ipconfig /allcompartments /all
and hit enter. (Windows users might be used to just typing “ipconfig /all“. This also works, but might not list all the routing compartments if you have a VPN setup in Windows7.)
The output will be very long, since Windows7 by default has support for IPv6. Most likely, you want to look for the IPv4 information under the section entitled “Ethernet adapter…”. Look for the “DNS Servers” line, and write down these numbers. There may be two IP addresses listed there.
Are Your DNS Settings OK?
The malicious Rove viruses changed some peoples DNS settings to use computers they operated. Compare your DNS settings with the known malicious Rove DNS settings listed below:
|Starting IP||Ending IP||CIDR|
What if I’m infected?
If you computer is infected, please refer to our page that list tools to clean DNS Changer and other self help guides to clean your computer – http://www.dcwg.org/fix/